macOS users unable to connect to GP with Error “CSSMERR_TP_CERT_SUSPENDED” on PanGPS.log

Created On 07/22/22 05:47 AM - Last Modified 01/12/24 22:26 PM


Symptom


  • Some macOS users are unable to connect to GlobalProtect.
  • PanGPS logs display error = “CSSMERR_TP_CERT_SUSPENDED”.


Environment


  • macOS: 12.4.0 (and higher)
  • Supported GlobalProtect (GP) client
  • Supported PAN-OS


Cause


  • The server certificate does not meet the newer macOS certificate requirements documented by Apple.
  • TLS server certificates must have a validity period of 825 days or fewer on macOS.


Resolution


  1. Create a new GP server certificate that meets Apple's certificate requirements: https://support.apple.com/en-us/103769
  2. Use the new certificate in the SSL-TLS profile used for GlobalProtect Portal/Gateway.
  3. Commit the configuration.
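
Before step 2, the 825-day limit named under Cause can be checked against the new certificate. The script below is an added example, not part of the original article or of any Palo Alto Networks tooling; the function names and the file name in the usage line are assumptions, and check_cert_file requires the openssl CLI.

```shell
#!/bin/sh
# Added example: flag TLS server certificates valid for more than 825 days.
MAX_DAYS=825   # limit stated in the Cause section

# Convert an openssl-style date ("Jul 22 05:47:00 2022 GMT") to epoch seconds.
# Tries GNU date (Linux) first, then BSD date (macOS).
to_epoch() {
    [ -n "$1" ] || return 1
    date -u -d "$1" +%s 2>/dev/null ||
    date -j -u -f "%b %d %T %Y %Z" "$1" +%s 2>/dev/null
}

# Print the validity period in days, rounded up so a partial day counts.
validity_days() {
    start=$(to_epoch "$1") || return 2
    end=$(to_epoch "$2") || return 2
    echo $(( (end - start + 86399) / 86400 ))
}

# Print "OK <days>" or "TOO_LONG <days>" for a notBefore/notAfter pair.
check_validity() {
    days=$(validity_days "$1" "$2") || { echo "PARSE_ERROR"; return 2; }
    if [ "$days" -le "$MAX_DAYS" ]; then
        echo "OK $days"
    else
        echo "TOO_LONG $days"
        return 1
    fi
}

# Read notBefore/notAfter from a PEM certificate file and check them.
check_cert_file() {
    nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    check_validity "$nb" "$na"
}

# Usage: sh check_validity.sh new-gp-cert.pem   (file name is a placeholder)
if [ $# -gt 0 ]; then check_cert_file "$1"; fi
```

A TOO_LONG result means the certificate should be reissued with a shorter validity period before it is placed in the SSL/TLS profile.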


Additional Information


Certificate Config for GlobalProtect
